A Healthcare Giant's Journey to Evaluate Risk, Strengthen Data Use Licensing Agreements with Third-Party Vendors

A Healthcare Giant's Journey to Evaluate Risk, Strengthen Data Use Licensing Agreements with Third-Party Vendors

Although this story involves a large healthcare client, it is a cautionary tale for organizations in virtually any industry: Contracts with third parties often comprise a company's most valuable assets, making it critical for organizations to regularly monitor obligations and compliance within their third-party contract universe.

In this case, the client became aware of potential violations of their Data Use License Agreement (DULA) with a primary third-party licensee. Primary licensees often have downstream vendor contracts which allow for the defined use of the data obtained through the primary's DULA. These defined uses often include the provision that data cannot be sold or used in any way by a competitor of the data owner. The client and data owner learned that its data was being used in violation of the terms of the DULA and engaged Protiviti, as an independent third party, to analyze the processes and controls around data use that the primary licensee had in place. The client wanted to better understand if there were gaps or inconsistencies within specific terms in both their DULAs and the maturity of the primary licensee's data governance policies, including how those policies were documented and being executed.

The primary challenge for the client was assessing compliance with agreement terms, and ensuring proper flow downs terms associated with downstream use of its data obtained through its DULAs in a way that would minimize non-compliant usage and the need for enforcement or litigation. Additionally, the client wanted to ensure these agreements would enhance operational efficiency without jeopardizing misappropriation of proprietary information. This also gave the client an opportunity to evaluate its relationship with the licensee and gave more perspective on its own DULA and how it could be strengthened, which would affect not only this licensee, but others as well.

Solution Collaboration

Protiviti's legal consulting and technology consulting experts - working on parallel tracks - partnered with the client to develop a two-pronged approach. Under tight deadlines, we:

• Conducted a comprehensive contract review: Our legal consulting team conducted employee and stakeholder interviews and reviewed the Contracts between the parties and related documents. The objective was to develop a deep understanding of the relevant contract terms, and how those terms were being effectuated within the licensee's operational environment. The legal team identified areas of potential risk of non-compliance within the operational environment, while also identifying areas where contract terms might be enhanced or further clarified. The team also learned how the third party was executing agreement terms, comprising usage patterns compared to licensed allowances, and identified areas of potential non-compliance or potential risks.
• Conducted a technology deep dive: Concurrently, our technology consulting group did an in-depth review of relevant systems, data protection controls, and overall data governance strategy and efficacy. This evaluation included a review of controls pertaining to data extraction from the client's systems, how data was being stored (if it was being stored) within existing systems, and how data was being transferred to other downstream third parties.
• Provided recommendations: Based on observations and analyses, the Protiviti team recommended enhancements to contact language around data sharing, Data use licensee audit rights, and downstream third-party use of data. Protiviti also provided insights and specific recommendations to both the client and the licensee regarding specific gaps in the data governance infrastructure, which both parties rely on to ensure compliance with the license agreement.

Data is the lifeblood of every organization. It is critical for the data owner and its third-party contractors to know how data is being used and governed.

Leadership